What to do with AD published certificates when decommissioning a CA?

Posted on 2010-01-04
Last Modified: 2012-05-08
Decommissioning a poorly maintained Windows 2003 Enterprise Root CA and its subordinate CA in preparation for replacing it with a brand new Windows 2008 AD CS based PKI.  Over the years, the old subordinate CA issued quite a few certificates; most are expired, the rest are easily identifiable.

Prepared to follow instructions in Microsoft KB889250 to remove the CA, but there is no mention of what to do about the certificates that were published into AD.  E-mail admin mentioned that Exchange complains all the time about expired certs when rebuilding the GAL. Got to thinking maybe we need to manually purge those out of the directory too.

Any advice how to carry this out, or if it's even advisable?
Question by: dtadmin
    LVL 49

    Expert Comment

    If you don't need the certificates that were published from this CA and haven't expired yet, then I see no reason to keep them published in AD. I have deleted certificates from AD from unused CAs many times and never had an issue.

    Hope it helps.
    LVL 31

    Expert Comment

    When you revoke all of the certificates and publish the CRL, AD should no longer display them.

    If there are just a few, you can remove them from AD manually if you really want to beforehand in AD Users & Computers if you View - Advanced then pull up the user accounts and view the certs tab.
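Before touching the certs tab by hand, it helps to know how many published certificates there actually are and which ones are stale. The following PowerShell is an added example, not code from the thread or from Microsoft: it reads the userCertificate attribute of every user object that has one, parses each value as an X.509 certificate, and reports the ones that are expired or were issued by the CA being decommissioned. It only reports; the removal call at the end is shown commented out. The issuer distinguished name is an assumed placeholder and must be replaced with the old subordinate CA's actual subject.

```powershell
# Added example (not from the original thread): inventory certificates published to
# the userCertificate attribute of AD users and flag expired ones and ones issued by
# the CA that is being decommissioned. Report only; nothing is deleted.

Import-Module ActiveDirectory

# Assumption: subject DN of the old subordinate CA. Replace with the real value.
$OldCaIssuer = 'CN=OldSubCA, DC=example, DC=com'

# Only users that have at least one value in userCertificate.
$users = Get-ADUser -Filter 'userCertificate -like "*"' -Properties userCertificate

$report = foreach ($u in $users) {
    foreach ($raw in $u.userCertificate) {
        # Each attribute value is the DER-encoded certificate; wrap the byte[] so it is
        # passed as a single constructor argument.
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$raw)
        [pscustomobject]@{
            User       = $u.SamAccountName
            Subject    = $cert.Subject
            Issuer     = $cert.Issuer
            NotAfter   = $cert.NotAfter
            Thumbprint = $cert.Thumbprint
            Expired    = ($cert.NotAfter -lt (Get-Date))
            FromOldCa  = ($cert.Issuer -eq $OldCaIssuer)
        }
    }
}

# Stale entries: expired, or issued by the CA that is going away.
$stale = $report | Where-Object { $_.Expired -or $_.FromOldCa } | Sort-Object User, NotAfter
$stale | Format-Table User, Subject, NotAfter, Expired, FromOldCa, Thumbprint -AutoSize

"Published certificates: $($report.Count); stale: $($stale.Count)"

# Once the list has been reviewed, a single stale value can be removed from one
# user with the -Certificates parameter of Set-ADUser (shown commented out):
#   $victim = $stale[0]
#   $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,
#       ((Get-ADUser $victim.User -Properties userCertificate).userCertificate |
#        Where-Object { (New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$_)).Thumbprint -eq $victim.Thumbprint }))
#   Set-ADUser -Identity $victim.User -Certificates @{Remove = $cert}
```

Run it from a host with the RSAT ActiveDirectory module; it needs only read access to the directory until you uncomment the Set-ADUser line. Matching on Thumbprint rather than Subject is deliberate, since one user often has several certificates with the same subject and only some of them are stale.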

    Author Comment

    By what mechanism does a certificate get cleared out of the directory upon revocation?  We've revoked all but a couple certificates that we know we need yet they all still appear to be published under the user accounts.  I'm not sure where to start troubleshooting this.
    LVL 31

    Accepted Solution

    When AD goes to check the cert, it will not display expired/revoked/otherwise invalid certs.  The DC may still be looking at a cached CRL, or the CA may not have published a new CRL yet.  A new delta CRL may be created on the CA 'certutil -crl delta' which should be fine, otherwise a base CRL could be made (certutil -crl) - or you can do this in the CA MMC right click Revoked - all tasks - publish.  There should be a .crl file in system32\certsrv\certenroll folder.

    The delta CRL will be looked at more frequently (check the CA MMC - properties of revoked certs folder - to determine settings, including if delta CRLs are supported).  You can copy out the CRL files to the CDP locations defined in the CA properties - extensions tab.  You could also install on DC directly, manually browsing and checking 'show physical stores' and select trusted root certification authorities - local computer.  Note that if the CRL renewal time is far off (validity period value - renewal value + time last CRL was issued) then you may need to install it manually to override using the cached CRL as it will not look otherwise until the 'next update' period comes up.
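The procedure in the accepted solution, written out as commands, follows as an added example (not code from the thread; the CDP share path and the test certificate path are assumptions). Steps 1 to 4 run on the CA: read the CRL schedule, publish a fresh base and delta CRL, print the ThisUpdate/NextUpdate window of the files in CertEnroll, and copy them to a CDP location. Steps 5 and 6 run on the domain controller: drop the cached CRL, install the new CRL in the Local Computer Trusted Root store, and verify that a revoked certificate now fails revocation checking.

```powershell
# Added example (not from the original thread). Steps 1-4 on the CA, 5-6 on the DC.

# 1. CA: the configured CRL schedule. A CRLDeltaPeriodUnits of 0 means delta CRLs
#    are disabled, which matches the 'Publish Delta CRLs' checkbox in the CA MMC.
certutil -getreg CA\CRLPeriodUnits
certutil -getreg CA\CRLPeriod
certutil -getreg CA\CRLDeltaPeriodUnits
certutil -getreg CA\CRLDeltaPeriod

# 2. CA: publish a new base CRL, then a delta CRL (the delta command is harmless
#    if deltas are disabled; it just reports that they are not enabled).
certutil -crl
certutil -crl delta

# 3. CA: the new files land in CertEnroll; show the validity window of each so you
#    can see how long a DC would otherwise keep using its cached copy.
$crlDir = Join-Path $env:SystemRoot 'System32\certsrv\CertEnroll'
Get-ChildItem -Path $crlDir -Filter '*.crl' | ForEach-Object {
    Write-Host "== $($_.Name)"
    certutil -dump $_.FullName | Select-String 'ThisUpdate|NextUpdate'
}

# 4. CA: copy the CRL files to a CDP location listed on the Extensions tab.
#    Assumption: the DC hosts a CertEnroll share that is one of the CDP URLs.
$cdpShare = '\\dc01.example.com\CertEnroll'
Get-ChildItem -Path $crlDir -Filter '*.crl' | Copy-Item -Destination $cdpShare -Force

# 5. DC: discard cached CRLs and install the new ones into the Local Computer
#    Trusted Root store, so the DC does not wait for the cached NextUpdate.
certutil -urlcache crl delete
Get-ChildItem -Path $cdpShare -Filter '*.crl' | ForEach-Object {
    certutil -addstore -f Root $_.FullName
}

# 6. DC: confirm revocation now takes effect. Assumption: an exported copy of a
#    certificate you revoked on the CA. Expect a revoked status in the output.
certutil -verify -urlfetch 'C:\temp\revoked-user.cer'
```

The -getreg values in step 1 are what the "validity period value - renewal value + time last CRL was issued" arithmetic in the answer is built from, so reading them first tells you whether the manual install in step 5 is needed at all or whether waiting for the next scheduled publish would do.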
